## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. kpkg="linux-image-$(dpkg --print-architecture)" || true kver="$(dpkg-query --show --showformat='${Version}' "$kpkg")" 2>/dev/null || true #echo "## kver: $kver" ## This configuration file is split into 3 sections: ## 1. Kernel Space ## 2. Direct Memory Access ## 3. Entropy ## 4. Networking ## See the documentation below for details on the majority of the selected commands. ## https://www.kernel.org/doc/html/latest/admin-guide/kernel-parameters.html ## https://wiki.archlinux.org/title/Kernel_parameters#GRUB ## 1. Kernel Space: ## ## https://madaidans-insecurities.github.io/guides/linux-hardening.html#boot-parameters ## Disable merging of slabs with similar size. ## Reduces the risk of triggering heap overflows. ## Prevents overwriting objects from merged caches and limits influencing slab cache layout. ## ## https://www.openwall.com/lists/kernel-hardening/2017/06/19/33 ## https://www.openwall.com/lists/kernel-hardening/2017/06/20/10 ## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slab_nomerge" ## Zero memory at allocation time and free time. ## Fills newly allocated pages, freed pages, and heap objects with zeros. ## Mitigates use-after-free exploits by erasing sensitive information in memory. ## ## https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=6471384af2a6530696fc0203bafe4de41a23c9ef ## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX init_on_alloc=1" GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX init_on_free=1" ## Enable the kernel page allocator to randomise free lists. ## During early boot the page allocator has predictable FIFO behaviour for physical pages. ## Limits some data exfiltration and ROP attacks that rely on inferring sensitive data location. ## Also improves performance by optimising memory-side cache utilisation. ## ## https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=e900a918b0984ec8f2eb150b8477a47b75d17692 ## https://en.wikipedia.org/wiki/Return-oriented_programming#Attacks ## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX page_alloc.shuffle=1" ## Enable kernel page table isolation to harden against kernel ASLR (KASLR) bypasses. ## Mitigates the Meltdown CPU vulnerability. ## ## https://en.wikipedia.org/wiki/Kernel_page-table_isolation ## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX pti=on" ## Enable randomisation of the kernel stack offset on syscall entries. ## Hardens against memory corruption attacks due to increased entropy. ## Limits attacks relying on deterministic stack addresses or cross-syscall address exposure. ## ## https://lkml.org/lkml/2019/3/18/246 ## https://a13xp0p0v.github.io/2020/02/15/CVE-2019-18683.html ## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX randomize_kstack_offset=on" ## Disable vsyscalls to reduce attack surface as they have been replaced by vDSO. ## Vulnerable to ROP attacks as vsyscalls are located at fixed addresses in memory. ## ## https://lwn.net/Articles/446528/ ## https://en.wikipedia.org/wiki/VDSO ## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vsyscall=none" ## Restrict access to debugfs by not registering the file system. ## Deactivated since the file system can contain sensitive information. ## ## https://lkml.org/lkml/2020/7/16/122 ## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off" ## Force the kernel to panic on "oopses". ## Can sometimes potentially indicate and thwart certain kernel exploitation attempts. ## Also cause panics on machine check exceptions. ## Panics may be due to false-positives such as bad drivers. ## ## https://forums.whonix.org/t/set-oops-panic-kernel-parameter-or-kernel-panic-on-oops-1-sysctl-for-better-security/7713 ## ## See /usr/libexec/security-misc/panic-on-oops for implementation. ## #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX oops=panic" ## Modify machine check exception handler. ## Can decide whether the system should panic or not based on the occurrence of an exception. ## ## https://www.kernel.org/doc/html/latest/arch/x86/x86_64/machinecheck.html ## https://www.kernel.org/doc/html/latest/arch/x86/x86_64/boot-options.html#machine-check ## https://forums.whonix.org/t/kernel-hardening/7296/494 ## ## The default kernel setting will be utilised until provided sufficient evidence to modify. ## #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mce=0" ## Prevent sensitive kernel information leaks in the console during boot. ## Must be used in combination with the kernel.printk sysctl. ## See /usr/lib/sysctl.d/30_silent-kernel-printk.conf for implementation. ## ## https://www.kernel.org/doc/html/latest/core-api/printk-basics.html ## https://wiki.archlinux.org/title/silent_boot ## ## See /etc/default/grub.d/41_quiet_boot.cfg for implementation. ## #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX loglevel=0" #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX quiet" ## Disable support for x86 processes and syscalls. ## Unconditionally disables IA32 emulation to substantially reduce attack surface. ## ## https://lore.kernel.org/all/20230623111409.3047467-7-nik.borisov@suse.com/ ## ## Applicable when using Linux kernel >= 6.7 (retained here for future-proofing and completeness). ## #ia32_emulation=0 ## 2. Direct Memory Access: ## ## https://madaidans-insecurities.github.io/guides/linux-hardening.html#dma-attacks ## Enable CPU manufacturer-specific IOMMU drivers to protect against DMA attacks. ## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX amd_iommu=force_isolation" GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX intel_iommu=on" ## Enable and force use of IOMMU translation to protect against DMA attacks. ## Strictly force DMA unmap operations to synchronously invalidate IOMMU hardware TLBs. ## Ensures devices will never be able to access stale data contents. ## ## https://en.wikipedia.org/wiki/Input%E2%80%93output_memory_management_unit ## https://en.wikipedia.org/wiki/DMA_attack ## https://lenovopress.lenovo.com/lp1467.pdf ## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX iommu=force" GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX iommu.passthrough=0" GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX iommu.strict=1" ## Disable the busmaster bit on all PCI bridges during the early boot process. ## Patches weak-point in some existing IOMMU implementations. ## May lead to issues such as complete system boot failure on certain devices. ## ## https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=4444f8541dad16fefd9b8807ad1451e806ef1d94 ## https://mjg59.dreamwidth.org/54433.html ## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX efi=disable_early_pci_dma" ## 3. Entropy: ## ## https://madaidans-insecurities.github.io/guides/linux-hardening.html#rdrand ## Do not credit the CPU or bootloader seeds as entropy sources at boot. ## The RDRAND CPU (RNG) instructions are proprietary and closed-source. ## Numerous implementations of RDRAND have a long history of being defective. ## The RNG seed passed by the bootloader could also potentially be tampered. ## Maximising the entropy pool at boot is desirable for all cryptographic operations. ## These settings ensure additional entropy is obtained from other sources to initialise the RNG. ## Note that distrusting these (relatively fast) sources of entropy will increase boot time. ## ## https://en.wikipedia.org/wiki/RDRAND#Reception ## https://systemd.io/RANDOM_SEEDS/ ## https://arstechnica.com/gadgets/2019/10/how-a-months-old-amd-microcode-bug-destroyed-my-weekend/ ## https://x.com/pid_eins/status/1149649806056280069 ## https://archive.nytimes.com/www.nytimes.com/interactive/2013/09/05/us/documents-reveal-nsa-campaign-against-encryption.html ## https://forums.whonix.org/t/entropy-config-random-trust-cpu-yes-or-no-rng-core-default-quality/8566 ## https://github.com/NixOS/nixpkgs/pull/165355 ## https://lkml.org/lkml/2022/6/5/271 ## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX random.trust_bootloader=off" GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX random.trust_cpu=off" ## Obtain more entropy during boot as the runtime memory allocator is being initialised. ## Entropy will be extracted from up to the first 4GB of RAM. ## Requires the linux-hardened kernel patch. ## ## https://www.kicksecure.com/wiki/Hardened-kernel#linux-hardened ## https://github.com/anthraxx/linux-hardened/commit/c3e7df1dba1eb8105d6d5143079a6a0ad9e9ebc7 ## https://github.com/anthraxx/linux-hardened/commit/a04458f97fe1f7e95888c77c0165b646375db9c4 ## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX extra_latent_entropy" ## 4. Networking ## ## https://madaidans-insecurities.github.io/guides/linux-hardening.html#kasr-boot-parameters ## Disable the entire IPv6 stack functionality. ## Removes attack surface associated with the IPv6 module. ## ## https://www.kernel.org/doc/html/latest/networking/ipv6.html ## https://wiki.archlinux.org/title/IPv6#Disable_IPv6 ## ## Enabling makes redundant many network hardening sysctl's in usr/lib/sysctl.d/990-security-misc.conf. ## #ipv6.disable=1